Outbound Webtraffic on different WAN IP for some Users

  • Hi,

    I'm fiddling with this Problem for a while now and the Problem is I don't get it to work.

    Situation is as follows:

    Some Machines should use a different External IP to surf (port 80 and 443)

    pfSense 2.3.2

    main WAN IP is in a /30 subnet (X.X.X.2) and Gateway is in the same (X.X.X.1) X.X.X.0 is the Network Name and X.X.X.3 should be the broadcast address so we are full.
    We got additional IPs in Y.Y.Y.112/29 wit the same gateway X.X.X.1 so Y.Y.Y.113 - Y.Y.Y.118 should be available as virtual IPs.

    Both hybrid and manual outbound NAT rules have no effect, checking external IP still has the main WAN IP displayed.

    The outbound NAT rule has one of the Y.Y.Y.x IPs as a test right now .114 and this is defined as single address virtual IP Alias with the /29 subnet on the WAN interface.
    In this rule the surce is defined as Z.Z.Z.Z/32 (a single machine from the LAN Subnet)

    The mapping looks like this in the gui:

    Interface:WAN  Source:Z.Z.Z.Z/32  Source Port:*  Destination:*  Destination Port:80 NAT Address:Y.Y.Y.114  NAT port: 80 Static Port: Crossed Arrows

    Any Idea what could go wrong? Do I have to wait some time or reset some cache?

    Thanks in advance,

  • Consider that the outbound NAT rules are applied from top to the bottom, where the first match wins.
    So if you have also other rules in place which would match to this parameters you have to put that one for the specific hosts to the top of the rule set.

  • Thanks for the Input, my test is the first 2 entries on top of the list, one for port 80 and one for 443.

  • I've seen that you've set a NAT port. This shouldn't be set. This will conflict with "static port".
    This is a source NAT rule. You need none of theme.

    Static port means, that the source port is the kept the same when packet going out to WAN as originating from the LAN host, while the NAT port forces it to 80.
    So you should delete the NAT port and uncheck static port.

  • Thank you very much, that was indeed the problem. I thought in the wrong direction, the port on the firewalls side can of course be random as long as on the remote side it hits the 80 / 443.

Log in to reply